http,https: protect against slow headers attack

CVE-2018-12122 An attacker can send a char/s within headers and exahust the resources (file descriptors) of a system even with a tight max header length protection. This PR destroys a socket if it has not received the headers in 40s. PR-URL: https://github.com/nodejs-private/node-private/pull/144 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
author: Matteo Collina <hello@matteocollina.com> 2018-08-23 16:46:07 +0200
committer: Rod Vagg <rod@vagg.org> 2018-11-28 11:36:34 +1100
commit: ee618a7ab239c98d945c723a4e225bc409151736 (patch)
tree: b70be2ea28bb3773d6c455a61a273cf8c5edbfb8 /lib/https.js
parent: 7bfcfc2ffe4940898cf7b70890a55eb91cbdd112 (diff)
download: android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.gz
android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.bz2
android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/https.js b/lib/https.js
index 66e76c1f05..0854c3d440 100644
--- a/lib/https.js
+++ b/lib/https.js
@@ -74,6 +74,7 @@ function Server(opts, requestListener) {
   this.timeout = 2 * 60 * 1000;
   this.keepAliveTimeout = 5000;
   this.maxHeadersCount = null;
+  this.headersTimeout = 40 * 1000; // 40 seconds
 }
 inherits(Server, tls.Server);
author	Matteo Collina <hello@matteocollina.com>	2018-08-23 16:46:07 +0200
committer	Rod Vagg <rod@vagg.org>	2018-11-28 11:36:34 +1100
commit	ee618a7ab239c98d945c723a4e225bc409151736 (patch)
tree	b70be2ea28bb3773d6c455a61a273cf8c5edbfb8 /lib/https.js
parent	7bfcfc2ffe4940898cf7b70890a55eb91cbdd112 (diff)
download	android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.gz android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.bz2 android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.zip